Description
A vulnerability was detected in badlogic pi-mono up to 0.58.4. This issue affects some unknown processing of the file packages/mom/src/slack.ts of the component pi-mom Slack Bot. The manipulation results in authentication bypass using alternate channel. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass leading to unauthorized bot access
Action: Patch
AI Analysis

Impact

The vulnerability allows an attacker to bypass authentication by manipulating the Slack bot's handling of the packages/mom/src/slack.ts file. This results in an alternate channel being authorized without valid credentials, enabling unauthorized access to bot functionality.

Affected Systems

Affected software is badlogic pi-mono, specifically the pi-mom Slack Bot component, in all versions up to and including 0.58.4.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate risk. With no EPSS data and no listing in KEV, the likelihood of widespread exploitation is unclear, but the remote nature of the attack means a determined threat actor could exploit it to gain unauthorized control of the Slack Bot. No official vendor fix has been released yet.

Generated by OpenCVE AI on April 5, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available update that removes the authentication bypass in packages/mom/src/slack.ts
  • If updating is not immediately possible, restrict network access to the bot's communication endpoints to prevent remote exploitation
  • Continuously monitor Slack channel activity and authentication logs for unexpected access patterns

Generated by OpenCVE AI on April 5, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Badlogic
Badlogic pi-mono
Vendors & Products Badlogic
Badlogic pi-mono

Mon, 06 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 05 Apr 2026 10:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in badlogic pi-mono up to 0.58.4. This issue affects some unknown processing of the file packages/mom/src/slack.ts of the component pi-mom Slack Bot. The manipulation results in authentication bypass using alternate channel. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title badlogic pi-mono pi-mom Slack Bot slack.ts authentication bypass
Weaknesses CWE-287
CWE-288
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Badlogic Pi-mono
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T14:50:53.417Z

Reserved: 2026-04-04T13:50:06.661Z

Link: CVE-2026-5557

cve-icon Vulnrichment

Updated: 2026-04-06T14:33:57.870Z

cve-icon NVD

Status : Deferred

Published: 2026-04-05T10:16:19.720

Modified: 2026-04-24T18:14:34.620

Link: CVE-2026-5557

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:56:56Z

Weaknesses